1
00:00:00,000 --> 00:00:07,200
Welcome. In this lesson we'll be using a ransomware sample; please do this practice in your Windows virtual machine.
2
00:00:08,900 --> 00:00:17,233
File type. File type identification is essential to identify the malware's target operating system and its architecture.
3
00:00:18,700 --> 00:00:23,333
Windows executable files are in PE format.
4
00:00:24,833 --> 00:00:31,833
In this lesson we are going to learn how to identify the file under analysis.
5
00:00:32,100 --> 00:00:38,233
First we start our Windows virtual machine.
6
00:00:40,766 --> 00:00:49,732
Before starting I must warn you that we are using the malware sample Rams1, which is a type of ransomware; we already talked about precautions
7
00:00:49,733 --> 00:00:53,733
in the section “Before start any lab”.
8
00:00:57,200 --> 00:01:05,500
First we start the peStudio tool, run it as administrator and load Rams1.exe.
9
00:01:16,200 --> 00:01:20,200
Here it is, and there we go.
10
00:01:26,733 --> 00:01:34,966
You can see, among much other information, that this file turns out to be a 32-bit file.
11
00:01:36,433 --> 00:01:43,133
Now let me point out something: as a rule of thumb you should never trust only one tool,
12
00:01:43,133 --> 00:01:53,033
so we are also opening this in CFF Explorer. Once you have it installed, just right-click on the executable and you’ll see the option.
13
00:01:58,900 --> 00:02:01,433
There we go.
14
00:02:02,000 --> 00:02:13,433
We can confirm this is a 32-bit file and its signature is .NET, which means it was compiled in Microsoft Visual Studio .NET.
15
00:02:13,433 --> 00:02:18,499
These two tools give us a lot of info; feel free to explore them.
16
00:02:19,500 --> 00:02:27,600
Now we’ll scan our binary online using this TrID tool; you have the link in your resources section.
17
00:02:27,800 --> 00:02:30,800
Let's upload our binary
18
00:02:40,000 --> 00:02:43,000
and press Start.
19
00:02:45,766 --> 00:02:54,466
What this tool is telling us is that it is 79 percent sure this file is a .NET assembly.
20
00:02:54,466 --> 00:03:00,099
Maybe you’re wondering why bother scanning the binary with several tools.
21
00:03:00,100 --> 00:03:07,333
Well, believe me, sometimes the results are contradictory, so it is worth trying a few tools.
22
00:03:08,733 --> 00:03:14,099
OK, let's continue; now open Rams1 in CFF Explorer
23
00:03:14,100 --> 00:03:22,366
and I am going to teach you how to identify the file type manually using the information in the portable structure.
24
00:03:22,366 --> 00:03:31,132
You may have noticed that the peStudio and CFF Explorer tools are getting info from our binary's portable structure.
25
00:03:31,133 --> 00:03:41,233
We’ll find much useful information here and we’ll dig into this along the course, so don’t worry if you don’t understand this now.
26
00:03:41,233 --> 00:03:50,466
We select Address Converter, and what we have here is the Rams1 binary's hexadecimal dump;
27
00:03:50,466 --> 00:04:00,899
there is no way to falsify the hex dump.
If you remember our lesson about the Portable Structure, you’ll recognize this 4d 5a;
28
00:04:00,900 --> 00:04:06,100
this unequivocally identifies this file as a Windows file.
29
00:04:06,100 --> 00:04:10,100
And what about the architecture?
30
00:04:10,100 --> 00:04:19,366
Well, we must locate the line with PE on it and look for this 4c 01. What does this mean?
31
00:04:19,366 --> 00:04:23,366
Let me show you in this great online converter.
32
00:04:29,533 --> 00:04:40,333
Let's put 4c01 here, analyze the data and look for something called little endian, which is the notation our hex dump uses,
33
00:04:40,333 --> 00:04:44,333
and we find it translates to 14c.
34
00:04:44,500 --> 00:04:53,266
Now let's visit the official Microsoft portable structure site to find out what 14c means,
35
00:04:53,866 --> 00:05:00,732
and it is equivalent to the i386 processor; you may know this means 32 bits.
36
00:05:00,733 --> 00:05:07,566
So now we are 100 percent sure this binary is 32-bit/x86.
37
00:05:10,200 --> 00:05:24,266
Now, how do you know if this file is 64 bits? Well, easy: if you don’t see this 4c 01 here, then this file is 64 bits, that's it.
38
00:05:24,266 --> 00:05:28,732
Please join me to fingerprint this file in the next lesson.
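As an added example (not part of the lesson or of peStudio, CFF Explorer or TrID), the following Python script performs the same manual check the lesson walks through in the hex dump: it looks for the 4d 5a (MZ) signature, follows e_lfanew to the PE signature, reads the little-endian Machine field (4c 01 on disk, 0x14c as a value, i386) and reports whether the CLR data directory is populated, which is what marks a PE file as a .NET assembly. It goes beyond the lesson by also naming the x64 machine value 0x8664 instead of treating "anything but 4c 01" as 64-bit. The sample bytes it parses are constructed header-only stand-ins built inside the script, not Rams1 or any real binary.

```python
import struct

# Machine values from the PE/COFF spec; 0x14c is the "4c 01" seen in the hex dump
MACHINE_NAMES = {0x14C: "i386 (32-bit)", 0x8664: "x64 (64-bit)", 0x1C0: "ARM", 0xAA64: "ARM64"}
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero means .NET


def identify_pe(data: bytes) -> dict:
    """Read file-type facts straight from the PE headers, as the lesson does by hand."""
    if data[:2] != b"MZ":                                   # bytes 4d 5a at offset 0
        raise ValueError("no MZ signature: not a Windows executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ present but no PE signature")
    coff = e_lfanew + 4
    machine = struct.unpack_from("<H", data, coff)[0]       # little-endian: 4c 01 -> 0x14c
    opt = coff + 20                                         # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    # PE32 (0x10b) keeps the data directories at +96, PE32+ (0x20b) at +112
    dir_base = {0x10B: 96, 0x20B: 112}[magic]
    n_dirs = struct.unpack_from("<I", data, opt + dir_base - 4)[0]
    is_dotnet = False
    if n_dirs > CLR_DIRECTORY_INDEX:
        clr_va, clr_size = struct.unpack_from("<II", data, opt + dir_base + 8 * CLR_DIRECTORY_INDEX)
        is_dotnet = clr_va != 0 and clr_size != 0
    return {
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, f"unknown (0x{machine:x})"),
        "pe32_plus": magic == 0x20B,
        "dotnet": is_dotnet,
    }


def build_sample_pe(machine: int, dotnet: bool) -> bytes:
    """Constructed header-only stand-in (not a real binary, not Rams1) to exercise identify_pe."""
    magic, dir_base = (0x20B, 112) if machine == 0x8664 else (0x10B, 96)
    opt_size = dir_base + 16 * 8
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dir_base - 4, 16)           # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, dir_base + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(identify_pe(build_sample_pe(0x14C, True)))
    print(identify_pe(build_sample_pe(0x8664, False)))
```

Point `identify_pe` at `open(path, "rb").read()` to run it on a real sample inside the lab VM; the constructed blobs only exercise the header parsing.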